Manually collect metrics from a Windows host in ITSI (2024)

You can manually set up a universal forwarder to collect metrics from a Windows host. Manually configure metrics collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to manually collect log data from a Windows host, see Manually collect logs from a Windows host in ITSI.

Prerequisites

Requirement | Description
Windows host | See Windows operating system support.
Dependencies | See Required Windows dependencies.
Administrator role | In Splunk Enterprise, you have to be a user with the admin role. In Splunk Cloud Platform, you have to be a user with the sc_admin role.

Steps

Follow these steps to manually collect metrics from a Windows host.

1. Install the universal forwarder on Windows

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

If you already installed a universal forwarder, you can skip this step.

2. Get available Windows Performance Monitor (perfmon) counters

Use the typeperf command to get a list of the available perfmon counters.

To get a list of all available counters, run this command:

typeperf -q

To get a list of all available counters for a specific perfmon object, run this command:

typeperf -q objectName

where objectName is the object you want to view available counters for.

For more information about using the typeperf command on a Windows host, see typeperf on the Microsoft website.

3. Configure inputs.conf on the universal forwarder

Configure inputs.conf on the universal forwarder to set up receiving and specify perfmon objects to monitor in ITSI.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Create inputs.conf at ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\ if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. Add a [perfmon://name] stanza for each perfmon object you want to collect data for. Include these values for the stanza parameters:
    Parameter | Description
    counters | Enter each counter you want to monitor for the object. Separate each counter with a semicolon. If you want to monitor all available counters, enter *.
    instances | Enter each instance you want to collect counters for. If you want to monitor all available instances, enter *. An instance is also commonly known as a process.
    object | Enter the perfmon object you want to monitor.
    mode | Enter single. ITSI doesn't support the multikv mode.
    index | Enter the index you use to collect metrics. By default, the index is itsi_im_metrics. If you want to use a custom index, see Use custom metric indexes in ITSI.
    interval | How often, in seconds, to poll for new data.
    _meta | Enter any other field-value pair as a custom dimension to identify the host. For example, datacenter::DC1
    useEnglishOnly | Enter true. This enables you to enter counters and store them in indexes in English.
    sourcetype | Enter PerfmonMetrics:metricName where metricName is the metric the object represents.
    disabled | Enter 0 to enable the object.

    Here's an example stanza for the Processor object:

    [perfmon://CPU]
    counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time
    instances = *
    interval = 30
    mode = single
    object = Processor
    index = itsi_im_metrics
    useEnglishOnly = true
    sourcetype = PerfmonMetrics:CPU
    disabled = 0

    For more information about perfmon stanzas, see Performance Monitor in the Splunk Enterprise Admin Manual.
  5. When you're done, save and close the file.
  6. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.
    $SPLUNK_HOME\bin\splunk restart
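A check that ties steps 2 and 3 together, as an added example that is not part of the original page or Splunk's own tooling: it parses inputs.conf, confirms each [perfmon://...] stanza carries the keys used in this page's examples with mode = single and a PerfmonMetrics: sourcetype, and flags counters that typeperf -q does not list for the object. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# Keys present in every example stanza on this page; values checked per the parameter table.
REQUIRED = ("counters", "object", "mode", "index", "interval", "sourcetype", "disabled")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def typeperf_counters(output):
    """Map object -> counters from `typeperf -q` lines like \\Processor(*)\\% Idle Time."""
    found = {}
    for m in re.finditer(r"^\\([^\\(]+)(?:\([^)]*\))?\\(.+)$", output, re.M):
        found.setdefault(m.group(1), set()).add(m.group(2).strip())
    return found

def lint(conf_text, typeperf_output):
    available, problems = typeperf_counters(typeperf_output), []
    for name, s in parse_conf(conf_text).items():
        if not name.startswith("perfmon://"):
            continue
        problems += [f"{name}: missing {k}" for k in REQUIRED if k not in s]
        if s.get("mode", "single").lower() != "single":
            problems.append(f"{name}: mode must be single, multikv is unsupported")
        if not s.get("sourcetype", "PerfmonMetrics:").startswith("PerfmonMetrics:"):
            problems.append(f"{name}: sourcetype must start with PerfmonMetrics:")
        known = available.get(s.get("object", ""), set())
        for c in (c.strip() for c in s.get("counters", "").split(";")):
            if c and c != "*" and c not in known:
                problems.append(f"{name}: counter '{c}' not listed by typeperf")
    return problems

# Constructed sample input: typeperf output and a stanza with three defects.
SAMPLE_TYPEPERF = "\\Processor(*)\\% Processor Time\n\\Processor(*)\\% Idle Time\n"
SAMPLE_CONF = """[perfmon://CPU]
counters = % Processor Time;% Idel Time
object = Processor
mode = multikv
index = itsi_im_metrics
sourcetype = PerfmonMetrics:CPU
disabled = 0
"""
```

Calling lint(SAMPLE_CONF, SAMPLE_TYPEPERF) reports the missing interval, the multikv mode, and the misspelled counter; on a real host, pass the saved output of typeperf -q objectName and the contents of your inputs.conf.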

4. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
  4. Save and close outputs.conf.
  5. Restart splunkd.
    $SPLUNK_HOME\bin\splunk restart

Example inputs.conf file for a universal forwarder

[perfmon://CPU]
counters=% C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Reserved Time;% Interrupt Time;% Privileged Time; Interrupts/sec;
instances=*
object=Processor
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:CPU
disabled=false

[perfmon://LogicalDisk]
counters=Free Megabytes;% Free Space; Avg. Disk sec/Transfer
instances=*
object=LogicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:LogicalDisk
disabled=false

[perfmon://Memory]
counters=Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes; Available MBytes
object=Memory
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Memory
disabled=false

[perfmon://Network]
counters=Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors;Current Bandwidth
instances=*
object=Network Interface
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Network
disabled=false

[perfmon://PhysicalDisk]
counters=% Disk Read Time;% Disk Write Time;Avg. Disk Queue Length;% Idle Time; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write
instances=*
object=PhysicalDisk
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:PhysicalDisk
disabled=false

[perfmon://Process]
counters=% Processor Time;% User Time;% Privileged Time;Elapsed Time;ID Process;Virtual Bytes;Working Set;Private Bytes;IO Read Bytes/sec;IO Write Bytes/sec;
instances=*
object=Process
mode=single
index=itsi_im_metrics
interval=60
sourcetype=PerfmonMetrics:Process
disabled=false

[perfmon://System]
counters = Processor Queue Length;Threads;System Up Time
instances = *
object = System
mode = single
index = itsi_im_metrics
interval = 60
sourcetype = PerfmonMetrics:System
disabled = false

Example outputs.conf file for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>

Setting | Description
monitoring_machine | The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
receiver_port | The port that your Splunk platform deployment uses to receive data.
Author: Nathanial Hackett
